Password Management API for Application-to-Application Password Management

(Feature available only in Premium and Enterprise Editions)

If you have applications in your infrastructure that need to connect to other applications using a password, they can query PMP to retrieve that password. This way, application-to-application (A-to-A) passwords can also follow good password management practices such as periodic rotation, without the trouble of manually updating them in many places. The same procedure can be used for application-to-database password management (A-to-DB).

How does A-to-A / A-to-DB Password Retrieval & Management Work?

The web API exposed by PMP forms the basis for A-to-A password management in PMP. Applications connect to and interact with PMP over HTTPS. The application's identity is verified by requiring it to present a valid SSL client certificate that matches the details already provided to PMP for that application. PMP makes this easier for applications by providing a command line script that abstracts the complexities of using the web API; the command line scripts invoke libraries that use the web API.

How to set up the Password Management API?

When you want an application to use the PMP web API, you first register the application with PMP, providing specific details about it. PMP then creates an integration toolkit containing the libraries and the command line scripts. The application can then use the toolkit to perform password operations on the PMP repository. Follow the procedure detailed below:

Step 1 - Downloading API Toolkit

  • Go to "Admin" >> "General" and click "Password Management API"
  • In the GUI that opens, click "Add Application" and provide details about your application. Fill in the following details (each term is followed by its definition):

    Application Name
    Name of the application in which you wish to deploy A-to-A password management using PMP

    DNS Name/IP Address
    Required to establish communication between the application and PMP

    Resource Type
    Select the operating system in which the application runs. Only the operating systems listed in the drop-down are supported by PMP (at present Windows and Linux are supported)

    Operations Allowed
    Select the password management operations you wish to allow for the application: Creating Passwords / Resetting Passwords / Retrieving Passwords

    Inherit the permissions of
    You need to set the password access permissions for the application. The application cannot be allowed to manage all passwords; it has to be allotted the specific passwords it may access. PMP already has comprehensive, well-defined access permissions for users, so the application may be permitted to inherit the same access level as one of the PMP users. Select the name of that user from the drop-down

  • Click "Save". Using the details you provided, PMP will now create a toolkit for the application
  • Click "Download Toolkit" and save the toolkit in the server where the application is running

Step 2 - Setting up PMP API in the application

As mentioned above, the application's identity is verified by requiring it to present a valid SSL client certificate that matches the details already provided to PMP for that application. To make these settings, complete the two tasks below.

Create SSL client certificate & private key

  • Create an SSL client certificate and its private key for the application, and store both on the server where the application runs (their paths are needed in the next task)
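As an added illustration (not part of the PMP documentation or toolkit), the following POSIX shell functions create the private key and a self-signed, PEM-encoded X.509 client certificate with OpenSSL, keep the key file readable only by its owner, and print the certificate's SHA-256 fingerprint so that the file later imported into the PMP truststore (Step 3) can be cross-checked. The file paths, the CN `app01.example.com` and the validity period are placeholders, and it is assumed that PMP accepts a self-signed client certificate created this way; check the certificate requirements of your PMP version before relying on it.

```shell
#!/bin/sh
# Added example (not part of the PMP toolkit): create the client key and certificate
# that the application will present to PMP, and print the certificate fingerprint so the
# value imported into the PMP truststore (Step 3) can be cross-checked.
# Assumptions: OpenSSL is installed, PMP accepts a PEM-encoded self-signed X.509 client
# certificate, and the paths / CN / validity used here are placeholders for your application.

make_client_cert() {
    cert_path=$1     # e.g. /opt/app/pmp/app.crt  (value for ClientCertPath in PMP_API.conf)
    key_path=$2      # e.g. /opt/app/pmp/app.key  (value for ClientKeyPath in PMP_API.conf)
    app_host=$3      # DNS name of the application server, as registered in PMP
    days=${4:-365}   # certificate validity; rotate the certificate before it expires

    # umask runs inside a subshell so the key file is created without group/other
    # permissions while the caller's umask is left untouched.
    ( umask 077 && openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$app_host" -days "$days" \
        -keyout "$key_path" -out "$cert_path" 2>/dev/null ) || return 1
    chmod 600 "$key_path"
}

# SHA-256 fingerprint of a certificate as colon-separated hex bytes; compare this with the
# certificate you hand to importCert.sh / importCert.bat in Step 3.
client_cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Usage: sh make_client_cert.sh <cert path> <key path> <application DNS name> [days]
if [ "$#" -ge 3 ]; then
    make_client_cert "$@" && client_cert_fingerprint "$1"
fi
```

Record the printed fingerprint with the application's registration details; when the certificate is rotated, a new one has to be imported into the PMP truststore and the old fingerprint no longer matches.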

Configurations for PMP API

  • Open a command prompt and navigate to the directory where you have installed the PMP API
  • Edit PMP_API.conf and set the absolute paths of the client certificate and its private key (the ones you created and stored as explained above) in the parameters ClientCertPath and ClientKeyPath

Step 3 - Creating truststore in Password Manager Pro Installation

  • This step creates a truststore in PMP for A-to-A / A-to-DB authentication. Open a command prompt, navigate to the <PMP_SERVER_HOME>\bin directory and execute the following command:

    For Windows

    importCert.bat <Absolute Path of client certificate created by you>

    For Linux

    importCert.sh <Absolute Path of client certificate created by you>

  • Restart the PMP server

Important Note: The client certificate and its private key must be present on the application server in which you want to use A-to-A / A-to-DB password management.

Commands to be included in your application for automatic A-to-A / A-to-DB password management

The above steps complete the installation of the PMP API in the application. For automatic A-to-A password management, your application needs to invoke the API using the following commands.

For Password Retrieval

Open a command prompt, navigate to the <PMP_SERVER_HOME>\bin directory and execute the following command:

For Windows

PMP_API.bat RETRIEVE <Resource Name as present in PMP> <Account Name as present in PMP>

For Linux

PMP_API.sh RETRIEVE <Resource Name as present in PMP> <Account Name as present in PMP>

Executing the above command will return the password alone.

For Resetting Password Locally

Open a command prompt, navigate to the <PMP_SERVER_HOME>\bin directory and execute the following command:

For Windows

PMP_API.bat RESET_LOCAL <Resource Name as present in PMP> <Account Name as present in PMP> <New Password>

For Linux

PMP_API.sh RESET_LOCAL <Resource Name as present in PMP> <Account Name as present in PMP> <New Password>

For Remote Password Reset

Open a command prompt, navigate to the <PMP_SERVER_HOME>\bin directory and execute the following command:

For Windows

PMP_API.bat RESET_REMOTE <Resource Name as present in PMP> <Account Name as present in PMP> <New Password>

For Linux

PMP_API.sh RESET_REMOTE <Resource Name as present in PMP> <Account Name as present in PMP> <New Password>

Executing the above command will attempt a remote password reset. If the operation succeeds, the password is changed in PMP as well and the message "Password changed successfully" is returned. If the remote password reset fails, the password in PMP is left unchanged and the message "Password reset failed" is returned.

For Creating a New Resource & a User Account

Open a command prompt, navigate to the <PMP_SERVER_HOME>\bin directory and execute the following command:

For Windows

PMP_API.bat CREATE <Resource Name> <Account Name> <Password>

For Linux

PMP_API.sh CREATE <Resource Name> <Account Name> <Password>

Executing the above command will create a new resource and an account in PMP. If you do not give a password for the account, PMP will automatically generate one.
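The commands above are what the application has to invoke. The following POSIX shell wrapper is an added example, not part of the PMP toolkit or documentation: it calls the Linux script PMP_API.sh (the path in PMP_API is an assumption), refuses empty arguments so a missing resource or account name does not turn into a confusing toolkit error, captures the RETRIEVE output into a variable without echoing it anywhere, and turns the RESET_REMOTE result messages documented above ("Password changed successfully" / "Password reset failed") into exit statuses the calling application can act on. The resource and account names in the comments are placeholders.

```shell
#!/bin/sh
# Added example (not part of the PMP toolkit): a small wrapper around the toolkit's Linux
# script so the application gets exit statuses instead of having to scrape messages.
# Assumption: PMP_API points at PMP_API.sh from the downloaded toolkit.
PMP_API=${PMP_API:-./PMP_API.sh}

# Resource and account names come from PMP; an empty one is always a caller bug.
_pmp_check_arg() {
    [ -n "$1" ] || { echo "pmp: empty argument not allowed" >&2; return 1; }
}

# RETRIEVE prints the password alone. Capture it: pw=$(pmp_retrieve srv01 appuser)
# and never write the value to a log or the terminal.
pmp_retrieve() {
    _pmp_check_arg "$1" && _pmp_check_arg "$2" || return 1
    "$PMP_API" RETRIEVE "$1" "$2"
}

# Map the documented RESET_REMOTE messages to exit statuses:
#   0  password changed on the target and in PMP
#   2  remote reset failed; PMP still holds the old password
#   3  unexpected output (treat as failure and investigate)
pmp_reset_status() {
    case $1 in
        *"Password changed successfully"*) return 0 ;;
        *"Password reset failed"*)
            echo "pmp: remote reset failed; PMP still holds the old password" >&2; return 2 ;;
        *)  echo "pmp: unexpected response from toolkit" >&2; return 3 ;;
    esac
}

# RESET_REMOTE <resource> <account> <new password>; the new password is passed through
# as the third argument exactly as the toolkit expects it.
pmp_reset_remote() {
    _pmp_check_arg "$1" && _pmp_check_arg "$2" && _pmp_check_arg "$3" || return 1
    out=$("$PMP_API" RESET_REMOTE "$1" "$2" "$3") || return 1
    pmp_reset_status "$out"
}
```

RESET_LOCAL and CREATE can be wrapped the same way. Because these operations take the password as a command-line argument, it is visible in process listings on the application server for the duration of the call, so keep shell history and any command logging in the application from capturing the wrapper's arguments.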

©2014, ZOHO Corp. All Rights Reserved.
